AT&T. Layer 6-8 needed.

Shon wrote:

Seth,

I said it could be, not that it is. Thanks for pointing that out. However, I
believe the reason they are being blocked at AT&T is the main reason I supplied
on my first post. The DDoS attack issue is the main ticket here.

The ACK storms aren't coming from the 4chan servers
It's just like the DNS attack (IN/NS/.). It points to the stupidity of AT&T
uppers
SANS: Are you or aren't you soliciting data? I have some to confirm also

It's not because of content, or to piss people off. It's to protect their
network, as any of you would do when you got DDoSed on your own networks.

They are going to get some first hand experience in what Protecting their
Network involves real soon, now. Blocking 4chan was an exercise in Stupidity

It's damage control,

It's a damage challenge.

essentially, until they find out who is involved and block them, then they'll
likely lift the block.

They don't have the right to do this. Not in their TOS/EULA/User-Agreement.
Not in any sane legal forum. (I*A*AL)

This ISN'T the first time this has happened.

Exactly.

Now you see the problem ?

We'll take data from **Trusted** sources.

I'm just not going to take a public open mailing list post as evidence

Uh.
  You posted on Twitter.

  The most trusted name in [?]

Someone else posted on twitter, I saw it recently.

To make it even clearer, we'll take your data, sure. Just don't expect us to jump on it until we verify with something solid.

chris rollin wrote:

Shon wrote:

Seth,

I said it could be, not that it is. Thanks for pointing that out. However, I
believe the reason they are being blocked at AT&T is the main reason I supplied
on my first post. The DDoS attack issue is the main ticket here.

The ACK storms aren't coming from the 4chan servers
It's just like the DNS attack (IN/NS/.). It points to the stupidity of AT&T
uppers
SANS: Are you or aren't you soliciting data? I have some to confirm also

Actually, they are. They are returning responses to hundreds of thousands of
SPOOFED SYN requests. Where do you think those are gonna go? The ACKs are gonna
come back to the network in which IPs were SPOOFed from, essentially, causing a
DDoS on a network not even really involved.

It's not because of content, or to piss people off. It's to protect their
network, as any of you would do when you got DDoSed on your own networks.

They are going to get some first hand experience in what Protecting their
Network involves real soon, now. Blocking 4chan was an exercise in Stupidity

Is that some kind of threat or what? Why would you even make a statement like that?

It's damage control,

It's a damage challenge.

essentially, until they find out who is involved and block them, then they'll
likely lift the block.

They don't have the right to do this. Not in their TOS/EULA/User-Agreement.
Not in any sane legal forum. (I*A*AL)

They don't have the right to protect their network? So you're saying, if someone
is DDoSing your network either direct or indirect, the network operator is just
supposed to sit there and do nothing while all of its customers get crappy
internet service because of something they probably don't even know about or
care about.

This ISN'T the first time this has happened.

Don't cut it off there. This ISN'T the first time it's happened, as 4chan goes
through DDoSes from script kiddies on a regular basis, and it harms lots of
networks along the way in the process.

Exactly.

Now you see the problem ?

The problem is the DDoS attacks. Not AT&T. 4chan's users constantly instigate
this. Chris Poole needs to do more than just sit back and watch. He needs to
start collecting this information and turning it in to the authorities, because
all of this is covered under domestic terrorism as a cyber-crime. I'm betting
there's reasons why he hasn't. He's afraid to get into trouble himself on some
of the content that's posted to /b/... whether it's there 5 seconds or 5 minutes.
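
Added example, not part of any poster's message: the backscatter described above (SYN-ACKs arriving for SYNs the receiving network never sent) can be separated from legitimate replies by connection state instead of by source address. The log format, the addresses (documentation ranges), the timeout and the threshold are all constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample records (not real traffic): time, src, sport, dst, dport, TCP flags.
# 203.0.113.10 stands in for the remote web server; 198.51.100.0/24 is the local network.
SAMPLE_LOG = """\
0.00 198.51.100.7 40001 203.0.113.10 80 S
0.05 203.0.113.10 80 198.51.100.7 40001 SA
1.00 203.0.113.10 80 198.51.100.20 1025 SA
1.01 203.0.113.10 80 198.51.100.21 1026 SA
1.02 203.0.113.10 80 198.51.100.22 1027 SA
9.00 198.51.100.8 40002 203.0.113.10 80 S
20.00 203.0.113.10 80 198.51.100.8 40002 SA
"""

LOCAL_NET = ipaddress.ip_network("198.51.100.0/24")
SYN_TIMEOUT = 5.0  # seconds an outbound SYN stays eligible for a matching SYN-ACK


def parse(log):
    """Yield (time, src, sport, dst, dport, flags) tuples from the text log."""
    for line in log.splitlines():
        if not line.strip():
            continue
        t, src, sport, dst, dport, flags = line.split()
        yield float(t), src, int(sport), dst, int(dport), flags


def classify(log, local_net=LOCAL_NET, timeout=SYN_TIMEOUT):
    """Return (solicited, unsolicited) lists of inbound SYN-ACK records."""
    pending = {}  # (local_ip, local_port, remote_ip, remote_port) -> time SYN was sent
    solicited, unsolicited = [], []
    for t, src, sport, dst, dport, flags in parse(log):
        src_local = ipaddress.ip_address(src) in local_net
        dst_local = ipaddress.ip_address(dst) in local_net
        if flags == "S" and src_local and not dst_local:
            # Outbound connection attempt: remember it so the reply can be matched.
            pending[(src, sport, dst, dport)] = t
        elif flags == "SA" and dst_local and not src_local:
            # Inbound SYN-ACK: look up the reversed 4-tuple among pending SYNs.
            sent = pending.pop((dst, dport, src, sport), None)
            rec = (t, src, sport, dst, dport)
            if sent is not None and t - sent <= timeout:
                solicited.append(rec)
            else:
                # No SYN from us, or the state expired: treat as backscatter.
                unsolicited.append(rec)
    return solicited, unsolicited


def backscatter_sources(unsolicited, threshold=3):
    """Remote (ip, port) pairs sending at least `threshold` unsolicited SYN-ACKs."""
    counts = Counter((src, sport) for _, src, sport, _, _ in unsolicited)
    return {k: n for k, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    ok, bad = classify(SAMPLE_LOG)
    print(f"solicited={len(ok)} unsolicited={len(bad)}")
    for (ip, port), n in backscatter_sources(bad).items():
        print(f"{ip}:{port} sent {n} SYN-ACKs with no matching outbound SYN")
```

A stateful filter applies the same test per packet, which is narrower than blocking the remote address outright; it does not reduce the traffic arriving on the upstream link.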

chris rollin wrote:
> Shon wrote:
>
> Seth,
>
>> I said it could be, not that it is. Thanks for pointing that out. However, I
>> believe the reason they are being blocked at AT&T is the main reason I supplied
>> on my first post. The DDoS attack issue is the main ticket here.
>
> The ACK storms aren't coming from the 4chan servers
> It's just like the DNS attack (IN/NS/.). It points to the stupidity of AT&T
> uppers
> SANS: Are you or aren't you soliciting data? I have some to confirm also
>

Actually, they are. They are returning responses to hundreds of thousands of
SPOOFED SYN requests. Where do you think those are gonna go? The ACKs are gonna
come back to the network in which IPs were SPOOFed from, essentially, causing a
DDoS on a network not even really involved.

{citation needed}.

It is possible to send spoofed ACK responses without the SYN ever
happening in the first place. At any rate, you would think that if this
was really going on that status.4chan.org would have an update on the
topic.

It is widely known that AT&T loves censorship. They love censorship
because it is profitable for them to love censorship, and this isn't the
first time they have en masse blocked access to a website they didn't
like. This has nothing at all to do with forged ACK responses, and
everything to do with content.

AT&T does not have the right to filter what their users can access,
period. You can put all the spin on it that you want, but in the end
it's about content.

If this was about protecting their network, then they could do that in a
different way, period end of story.

>> It's not because of content, or to piss people off. It's to protect their
>> network, as any of you would do when you got DDoSed on your own networks.
>
> They are going to get some first hand experience in what Protecting their
> Network
> involves real soon, now. Blocking 4chan was an exercise in Stupidity
>

Is that some kind of threat or what? Why would you even make a statement like that?

Do not underestimate the power of teenagers living in their parents'
basement. There's a lot of them, and they can't access their favourite
website anymore.

This is going to result in a lot of these families switching to Cable or
an alternative DSL provider.

>> It's damage control,
>
> It's a damage challenge.
>
>> essentially, until they find out who is involved and block them, then they'll
>> likely lift the block.
>
> They don't have the right to do this. Not in their TOS/EULA/User-Agreement.
> Not in any sane legal forum. (I*A*AL)
>

They don't have the right to protect their network? So you're saying, if someone
is DDoSing your network either direct or indirect, the network operator is just
supposed to sit there and do nothing while all of its customers get crappy
internet service because of something they probably don't even know about or
care about.

They have the right to protect their network, but not at the cost of
reducing neutrality. But luckily we live in a free market, and AT&T is
about to lose a lot of business because of that block. If I were them,
I would fix it now, and be extremely apologetic about this happening.

>> This ISN'T the first time this has happened.
>

Don't cut it off there. This ISN'T the first time it's happened, as 4chan goes
through DDoSes from script kiddies on a regular basis, and it harms lots of
networks along the way in the process.

No, he means, this isn't the first time AT&T has degraded service as a
matter of policy.

> Exactly.
>
> Now you see the problem ?
>

The problem is the DDoS attacks. Not AT&T. 4chan's users constantly instigate
this. Chris Poole needs to do more than just sit back and watch. He needs to
start collecting this information and turning it in to the authorities, because
all of this is covered under domestic terrorism as a cyber-crime. I'm betting
there's reasons why he hasn't. He's afraid to get into trouble himself on some
of the content that's posted to /b/... whether it's there 5 seconds or 5 minutes.

  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

There you go right there. It's about the content. End of story.

William

William Pitcock wrote:

chris rollin wrote:

Shon wrote:

Seth,

I said it could be, not that it is. Thanks for pointing that out. However, I
believe the reason they are being blocked at AT&T is the main reason I supplied
on my first post. The DDoS attack issue is the main ticket here.

The ACK storms aren't coming from the 4chan servers
It's just like the DNS attack (IN/NS/.). It points to the stupidity of AT&T
uppers
SANS: Are you or aren't you soliciting data? I have some to confirm also

Actually, they are. They are returning responses to hundreds of thousands of
SPOOFED SYN requests. Where do you think those are gonna go? The ACKs are gonna
come back to the network in which IPs were SPOOFed from, essentially, causing a
DDoS on a network not even really involved.

{citation needed}.

It is possible to send spoofed ACK responses without the SYN ever
happening in the first place. At any rate, you would think that if this
was really going on that status.4chan.org would have an update on the
topic.

Regardless of that, I have logs from firewalls to show that it's happening. So
what, do I have to post them here to prove that it's happening?

It is widely known that AT&T loves censorship. They love censorship
because it is profitable for them to love censorship, and this isn't the
first time they have en masse blocked access to a website they didn't
like. This has nothing at all to do with forged ACK responses, and
everything to do with content.

Yes, they do love censorship. I agree. You got me there.. But for ME it was
about the forged ACK responses. I already lifted my block on it some time ago.
It was temporary while I figured out some other ways to lessen the attack.

AT&T does not have the right to filter what their users can access,
period. You can put all the spin on it that you want, but in the end
it's about content.

I'm not putting any spin on why they did what they did. I'm just stating I know
some of the facts and saying what I did and WHY I did it.

If this was about protecting their network, then they could do that in a
different way, period end of story.

Maybe they can. I don't know the situation. For a small ISP such as us, we don't
have a lot of alternatives. It's not like we're made of AT&T's billions of dollars.

It's not because of content, or to piss people off. It's to protect their
network, as any of you would do when you got DDoSed on your own networks.

They are going to get some first hand experience in what Protecting their
Network involves real soon, now. Blocking 4chan was an exercise in Stupidity

Is that some kind of threat or what? Why would you even make a statement like that?

Do not underestimate the power of teenagers living in their parents'
basement. There's a lot of them, and they can't access their favourite
website anymore.

This is going to result in a lot of these families switching to Cable or
an alternative DSL provider.

I bet if half of the parents knew what their kids were doing on the internet...
this wouldn't be a problem.

It's damage control,

It's a damage challenge.

essentially, until they find out who is involved and block them, then they'll
likely lift the block.

They don't have the right to do this. Not in their TOS/EULA/User-Agreement.
Not in any sane legal forum. (I*A*AL)

They don't have the right to protect their network? So you're saying, if someone
is DDoSing your network either direct or indirect, the network operator is just
supposed to sit there and do nothing while all of its customers get crappy
internet service because of something they probably don't even know about or
care about.

They have the right to protect their network, but not at the cost of
reducing neutrality. But luckily we live in a free market, and AT&T is
about to lose a lot of business because of that block. If I were them,
I would fix it now, and be extremely apologetic about this happening.

Okay, so how do YOU block the attacks from eating up your bandwidth and filling
up your logs without blocking the entire IP?

This ISN'T the first time this has happened.

Don't cut it off there. This ISN'T the first time it's happened, as 4chan goes
through DDoSes from script kiddies on a regular basis, and it harms lots of
networks along the way in the process.

No, he means, this isn't the first time AT&T has degraded service as a
matter of policy.

I suppose that's possible. I've been on AT&T's network as a home user and have
not really experienced that before.

Exactly.

Now you see the problem ?

The problem is the DDoS attacks. Not AT&T. 4chan's users constantly instigate
this. Chris Poole needs to do more than just sit back and watch. He needs to
start collecting this information and turning it in to the authorities, because
all of this is covered under domestic terrorism as a cyber-crime. I'm betting
there's reasons why he hasn't. He's afraid to get into trouble himself on some
of the content that's posted to /b/... whether it's there 5 seconds or 5 minutes.

  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

There you go right there. It's about the content. End of story.

No, the problem is that he won't do anything about it. I doubt AT&T is doing it
for censorship reasons, but that's speculation on my part. But don't sit there
and take the second half of my sentence to make a point like that. Chris CAN do
something about it, he just won't. Why do you think that is?

If I was AT&T, I would purchase DDoS filtering equipment and run it at
edge where all of my traffic is peering anyway.

This discussion is about AT&T, not you.

William

William Pitcock wrote:

Seems that ATT has restored access to 4chan as confirmed on
http://www.centralgadget.com/att-blocking-access-to-portions-of-4chan-2336/
and on an IRC I happened to be idling in.

This only protects ISPs from, upon being served notice, being liable for
content
A majority of the CDA was overturned, as it violates both first and fifth
amendments. What is left of it only applies to ISPs PUBLISHING (*not*
filtering) content

This is Net Neutrality realm

I posted it on Twitter. And I was talking with John at the time. We're observing the information that is coming in, but it's hard to verify something like that when:

A) We haven't heard from our contacts at AT&T.
B) The only information we are seeing "confirming" it is on open mailing lists, and no offense, but given 4chan's proclivity in spreading disinformation extremely well....
C) I don't know if we want to take the word of moot directly from the 4chan website either.

I've read in a couple places that the connectivity is coming back up, I have a hard time believing that AT&T would do this, and even if they did, they did it for a legit reason (maybe a DDOS?)

J

It is widely known that AT&T loves censorship. They love censorship
because it is profitable for them to love censorship, and this isn't the
first time they have en masse blocked access to a website they didn't
like. This has nothing at all to do with forged ACK responses, and
everything to do with content.

How does breaking things (censorship) make them more money?

http://njabl.org/faq.html#Q12

AT&T does not have the right to filter what their users can access,
period. You can put all the spin on it that you want, but in the end
it's about content.

Whatever happened to "My network, my rules?" If AT&T blocks something, and as an AT&T customer, you don't like it, get your connectivity from someone else.

Because most of the net libertarians insist that they should do
whatever they want and everyone else should help cater to them.

Liberty for me but not for thee.

I am very much of the "my network, my rules" camp.

As soon as att pays back all the gov't subsidies, tax credits, etc., -we- paid them, they can call it -their- network.

Until then, things are a lot murkier.

I'm not a lawyer, but I think that the argument goes something like this...

The common carriers want to be indemnified from the content they carry. In other words, the phone company doesn't want to be held liable for the Evil Plot planned over their phone lines. The price they pay for indemnification is that they must not care about ANY content (including content that competes with content offered by a non-carrier division of the common carrier). If they edit SOME content, then they are acting in the role of a newspaper editor, and have assumed the mantle of responsibility for ALL content.

Carriers can, however, do what they need to do to keep their networks running, so they are permitted to disrupt traffic that is damaging to the network.

The seedy side of all of this is that if a common carrier wants to block a particular set of content from a site/network, all they need to do is point out some technical badness that comes from the same general direction. Since the background radiation of technical badness is fairly high from every direction, it's not too hard to find a good excuse when you want one.

David Hiers

CCIE (R/S, V), CISSP

I'm not a lawyer, but I think that the argument goes something like this...

The common carriers want to be indemnified from the content they carry. In other words, the phone company doesn't want to be held liable for the Evil Plot planned over their phone lines. The price they pay for indemnification is that they must not care about ANY content (including content that competes with content offered by a non-carrier division of the common carrier). If they edit SOME content, then they are acting in the role of a newspaper editor, and have assumed the mantle of responsibility for ALL content.

Famous two cases, Prodigy & Compuserve. Overturned many years ago. If you edit "some" content you are not automatically liable for all content.

No ISP is a common carrier. That implies things like "you must provide service to everyone". Some common carriers get orders like "you must provide service in $MIDDLE_OF_NOWHERE".

ISPs can, under certain circumstances, get a "mere conduit" style immunity.

Carriers can, however, do what they need to do to keep their networks running, so they are permitted to disrupt traffic that is damaging to the network.

The seedy side of all of this is that if a common carrier wants to block a particular set of content from a site/network, all they need to do is point out some technical badness that comes from the same general direction. Since the background radiation of technical badness is fairly high from every direction, it's not too hard to find a good excuse when you want one.

That, I believe, is much harder. But IANAL.

Hell, I Am Not An ISP even. :)

I'm not a lawyer either, but I know how ISPs are regulated in the US. The
actual framework is the FCC's "Internet Policy Statement," to wit:

http://hraunfoss.fcc.gov/edocs_public/attachmatch/FCC-05-151A1.pdf

- To encourage broadband deployment and preserve and promote the open and
  interconnected nature of the public Internet, consumers are entitled to
  access the lawful Internet content of their choice.
- To encourage broadband deployment and preserve and promote the open and
  interconnected nature of the public Internet, consumers are entitled to
  run applications and use services of their choice, subject to the needs
  of law enforcement.
- To encourage broadband deployment and preserve and promote the open and
  interconnected nature of the public Internet, consumers are entitled to
  connect their choice of legal devices that do not harm the network.
- To encourage broadband deployment and preserve and promote the open and
  interconnected nature of the public Internet, consumers are entitled to
  competition among network providers, application and service providers,
  and content providers.

All of this is subject to a "reasonable network management" exception. There
is some disagreement about what constitutes "reasonable network management"
at the fringes, but the FCC is on record that spam killing and DDOS attack
mitigation are "reasonable." Some people want to add a fifth
"non-discrimination" rule.

In the case of the ISPs and carriers who blocked access to 4chan for a while
Sunday, since that was done in accordance with DDOS mitigation, there's not
any issue as far as the FCC is concerned, but that hasn't prevented the
usual parties from complaining about censorship, etc.

Richard Bennett

Richard Bennett wrote:

In the case of the ISPs and carriers who blocked access to 4chan for a while
Sunday, since that was done in accordance with DDOS mitigation, there's not
any issue as far as the FCC is concerned, but that hasn't prevented the
usual parties from complaining about censorship, etc.

If someone came out and said "Hey, DDOS mitigation, please hold!" that
would be cool, too. Based on the content of 4chan, it's either DDOS or
someone cried about the content. It looked like the latter.

~Seth

Corporate PR staffs don't generally work on Sunday, but when AT&T came into
the office today they drafted this statement:

http://www.att.com/gen/press-room?pid=4800&cdvn=news&newsarticleid=26970

"Beginning Friday, an AT&T customer was impacted by a denial-of-service
attack stemming from IP addresses connected to img.4chan.org. To prevent
this attack from disrupting service for the impacted AT&T customer, and to
prevent the attack from spreading to impact our other customers, AT&T
temporarily blocked access to the IP addresses in question for our
customers. This action was in no way related to the content at
img.4chan.org; our focus was on protecting our customers from malicious
traffic.

"Overnight Sunday, after we determined the denial-of-service threat no
longer existed, AT&T removed the block on the IP addresses in question. We
will continue to monitor for denial-of-service activity and any malicious
traffic to protect our customers.

"Here's more (http://budurl.com/DDoSVideo) on AT&T's efforts to prevent
denial-of-service attacks."

There's obviously a history of DOS attacks to and from 4chan and the
membership over the years, some of it quite righteous. The "Anonymous"
attacks against the Cult of Scientology, for example, were very sweet. But
all you have to do is read the status page that moot posts on 4chan to
realize that they've been the target of a counter-attack for the past three
weeks or so.

Richard Bennett